npm - @better-update/cli - Versions diffs - 0.44.0 → 0.45.0 - Mend

@better-update/cli 0.44.0 → 0.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.mjs CHANGED Viewed

@@ -35,7 +35,7 @@ var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 //#endregion
 //#region package.json
-var version = "0.44.0";
+var version = "0.45.0";
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -23861,7 +23861,7 @@ const wrapKeyCreate = (run) => Effect.tryPromise({
 		});
 	}
 });
-const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
+const writeRescueP8$1 = (keyId, p8Pem) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = `AuthKey_${keyId}.p8`;
 	yield* fs.writeFileString(filePath, p8Pem, { mode: 384 });
@@ -23892,7 +23892,7 @@ const generateAndUploadApnsKeyViaAppleId = (api, input) => Effect.gen(function*
 				...compact({ appleTeamName: toOptional(input.appleTeamName) })
 			} });
 		}).pipe(Effect.catchAll((cause) => Effect.gen(function* () {
-			const rescuePath = yield* writeRescueP8(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const rescuePath = yield* writeRescueP8$1(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
 			const where = rescuePath === null ? "could not be saved locally and is now unrecoverable" : `was saved to ${rescuePath} — re-import with \`credentials generate push-key --p8 ${rescuePath} --key-id ${key.id} --apple-team-id ${input.appleTeamIdentifier}\``;
 			return yield* new AppleIdGenerateFailedError({
 				step: "store-apns-key",
@@ -28373,6 +28373,93 @@ const androidMenu = (ctx) => Effect.gen(function* () {
 	yield* androidMenu(ctx);
 });
+//#endregion
+//#region src/lib/credentials-generator-asc-key.ts
+const toUserRole = (role) => role === "APP_MANAGER" ? AppleUtils.UserRole.APP_MANAGER : AppleUtils.UserRole.ADMIN;
+/** Default nickname shown in App Store Connect → Users and Access → Integrations. */
+const defaultAscApiKeyNickname = () => `[better-update] ${(/* @__PURE__ */ new Date()).toISOString()}`;
+const ASC_KEY_NOT_READY_PATTERN = /no resource of type|resource does not exist/iu;
+const ASC_KEY_DOWNLOAD_RETRY = Schedule.exponential("1 second", 2).pipe(Schedule.intersect(Schedule.recurs(6)));
+const downloadAscKeyWithRetry = (key) => Effect.tryPromise({
+	try: async () => key.downloadAsync(),
+	catch: (cause) => new AppleIdGenerateFailedError({
+		step: "apple-download-asc-key",
+		message: messageOf(cause)
+	})
+}).pipe(Effect.flatMap((pem) => pem === null || pem.length === 0 ? Effect.fail(new AppleIdGenerateFailedError({
+	step: "apple-download-asc-key",
+	message: "App Store Connect returned no private key for the new API key — it may already have been downloaded. A key can only be downloaded once; create a new one or upload the .p8 manually with `credentials upload-asc-key`."
+})) : Effect.succeed(pem)), Effect.retry({
+	while: (error) => ASC_KEY_NOT_READY_PATTERN.test(error.message),
+	schedule: ASC_KEY_DOWNLOAD_RETRY
+}), Effect.catchIf((error) => ASC_KEY_NOT_READY_PATTERN.test(error.message), () => Effect.fail(new AppleIdGenerateFailedError({
+	step: "apple-download-asc-key",
+	message: "App Store Connect is still provisioning the new API key (this can take up to a minute). The key was created — re-run shortly, or download the .p8 from App Store Connect → Users and Access → Integrations and import it with `credentials upload-asc-key`."
+}))));
+const writeRescueP8 = (keyId, p8Pem) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	const filePath = `AuthKey_${keyId}.p8`;
+	yield* fs.writeFileString(filePath, p8Pem, { mode: 384 });
+	return filePath;
+});
+/**
+* Create an App Store Connect API key from the Apple ID cookie session, download
+* its one-shot `.p8`, resolve the issuer id, and store the sealed envelope in the
+* vault — the zero-knowledge equivalent of downloading a key from App Store Connect
+* and running `credentials upload-asc-key`, but without the manual round-trip.
+*/
+const generateAndUploadAscApiKeyViaAppleId = (api, input) => Effect.gen(function* () {
+	const ctx = input.context;
+	const key = yield* wrap("apple-create-asc-key", async () => AppleUtils.ApiKey.createAsync(ctx, {
+		nickname: input.nickname,
+		allAppsVisible: true,
+		roles: [toUserRole(input.role)],
+		keyType: AppleUtils.ApiKeyType.PUBLIC_API
+	}));
+	const p8Pem = yield* downloadAscKeyWithRetry(key);
+	const displayName = input.name ?? key.id;
+	const stored = yield* Effect.gen(function* () {
+		const issuerId = (yield* wrap("apple-fetch-asc-key", async () => AppleUtils.ApiKey.infoAsync(ctx, { id: key.id }))).attributes.provider?.id;
+		if (issuerId === void 0 || issuerId.length === 0) return yield* new AppleIdGenerateFailedError({
+			step: "resolve-issuer-id",
+			message: "App Store Connect did not return an issuer ID for the new key. Find it under Users and Access → Integrations and import the .p8 with `credentials upload-asc-key`."
+		});
+		const metadata = compact({
+			name: displayName,
+			keyId: key.id,
+			issuerId,
+			appleTeamIdentifier: input.appleTeamIdentifier
+		});
+		const envelope = yield* sealForUpload({
+			session: yield* openVaultSessionInteractive(api),
+			credentialType: "asc-api-key",
+			metadata,
+			secret: { p8Pem }
+		});
+		return {
+			id: (yield* api.ascApiKeys.upload({ payload: {
+				...toUploadEnvelope(envelope),
+				...metadata
+			} })).id,
+			issuerId
+		};
+	}).pipe(Effect.catchAll((cause) => Effect.gen(function* () {
+		const rescuePath = yield* writeRescueP8(key.id, p8Pem).pipe(Effect.catchAll(() => Effect.succeed(null)));
+		const where = rescuePath === null ? "could not be saved locally and is now unrecoverable" : `was saved to ${rescuePath} — re-import with \`credentials upload-asc-key --p8 ${rescuePath} --key-id ${key.id}\` (find the issuer ID under App Store Connect → Users and Access → Integrations)`;
+		return yield* new AppleIdGenerateFailedError({
+			step: "store-asc-key",
+			message: `Created App Store Connect API key ${key.id} on Apple but failed to store it (${messageOf(cause)}). The downloaded .p8 ${where}.`
+		});
+	})));
+	return {
+		id: stored.id,
+		keyId: key.id,
+		issuerId: stored.issuerId,
+		name: displayName,
+		role: input.role
+	};
+});
 //#endregion
 //#region src/application/credentials-manager-ios-asc.ts
 const uploadIosAscKey = (ctx) => Effect.gen(function* () {
@@ -28392,6 +28479,33 @@ const uploadIosAscKey = (ctx) => Effect.gen(function* () {
 	yield* Console.log("ASC API key uploaded.");
 	yield* printKeyValue([["ID", created.id], ["Key ID", keyId]]);
 });
+const generateAscKeyViaAppleId = (ctx) => Effect.gen(function* () {
+	const auth = yield* AppleAuth;
+	const session = yield* auth.ensureLoggedIn();
+	const role = yield* promptSelect("Select a role for the generated API key", [{
+		value: "ADMIN",
+		label: "ADMIN (default)"
+	}, {
+		value: "APP_MANAGER",
+		label: "APP_MANAGER (least privilege for app management)"
+	}]);
+	yield* Console.log("Creating an App Store Connect API key via your Apple ID...");
+	return yield* generateAndUploadAscApiKeyViaAppleId(ctx.api, {
+		context: auth.buildRequestContext(session),
+		appleTeamIdentifier: session.teamId,
+		nickname: defaultAscApiKeyNickname(),
+		role
+	});
+});
+const createIosAscKeyViaAppleId = (ctx) => Effect.gen(function* () {
+	const created = yield* generateAscKeyViaAppleId(ctx);
+	yield* Console.log(`Created and stored ASC API key ${created.keyId}.`);
+	yield* printKeyValue([
+		["ID", created.id],
+		["Key ID", created.keyId],
+		["Issuer ID", created.issuerId]
+	]);
+});
 const bindIosAscKey = (ctx) => Effect.gen(function* () {
 	const keys = yield* ctx.api.ascApiKeys.list();
 	if (keys.items.length === 0) return yield* new MissingCredentialsError({
@@ -28428,18 +28542,26 @@ const uploadNewAscKey = (ctx) => Effect.gen(function* () {
 });
 const setupProjectAscApiKey = (ctx) => Effect.gen(function* () {
 	const keys = yield* ctx.api.ascApiKeys.list();
-	const choice = keys.items.length === 0 ? "upload" : yield* promptSelect("How would you like to set up the ASC key?", [{
-		value: "existing",
-		label: `Use an existing ASC API key (${String(keys.items.length)})`
+	const baseChoices = [{
+		value: "generate",
+		label: "Create a new ASC API key from your Apple ID (no .p8 needed)"
 	}, {
 		value: "upload",
-		label: "Upload a new ASC API key"
-	}]);
+		label: "Upload an existing .p8 key"
+	}];
+	const choice = keys.items.length === 0 ? yield* promptSelect("How would you like to set up the ASC key?", baseChoices) : yield* promptSelect("How would you like to set up the ASC key?", [{
+		value: "existing",
+		label: `Use an existing ASC API key (${String(keys.items.length)})`
+	}, ...baseChoices]);
 	const config = yield* promptForBundleConfig(ctx);
-	const ascKeyId = choice === "upload" ? yield* uploadNewAscKey(ctx) : yield* promptSelect("Select an ASC API key to bind", keys.items.map((key) => ({
-		value: key.id,
-		label: `${key.name} (${key.keyId})`
-	})));
+	const ascKeyId = yield* Effect.gen(function* () {
+		if (choice === "generate") return (yield* generateAscKeyViaAppleId(ctx)).id;
+		if (choice === "upload") return yield* uploadNewAscKey(ctx);
+		return yield* promptSelect("Select an ASC API key to bind", keys.items.map((key) => ({
+			value: key.id,
+			label: `${key.name} (${key.keyId})`
+		})));
+	});
 	yield* ctx.api.iosBundleConfigurations.update({
 		path: { id: config.id },
 		payload: { ascApiKeyId: ascKeyId }
@@ -28453,6 +28575,10 @@ const iosAscKeysMenu = (ctx) => Effect.gen(function* () {
 			value: "setup",
 			label: "Set up your project to use an ASC API Key"
 		},
+		{
+			value: "create",
+			label: "Create a new ASC API key from your Apple ID (no .p8 needed)"
+		},
 		{
 			value: "upload",
 			label: "Add a new ASC API key"
@@ -28472,6 +28598,7 @@ const iosAscKeysMenu = (ctx) => Effect.gen(function* () {
 	]));
 	if (choice === "__back__") return;
 	if (choice === "setup") yield* safely("set up ASC key", setupProjectAscApiKey(ctx));
+	else if (choice === "create") yield* safely("create ASC key", createIosAscKeyViaAppleId(ctx));
 	else if (choice === "upload") yield* safely("upload ASC key", uploadIosAscKey(ctx));
 	else if (choice === "bind") yield* safely("bind ASC key", bindIosAscKey(ctx));
 	else if (choice === "delete") yield* safely("delete ASC key", pickAndDelete(ctx, "asc-api-key", "ASC API key"));
@@ -30353,6 +30480,66 @@ const envVaultCommand = defineCommand({
 	default: "status"
 });
+//#endregion
+//#region src/commands/credentials/generate-asc-key.ts
+const ASC_KEY_EXIT_EXTRAS = {
+	CredentialValidationError: 2,
+	AppleIdGenerateFailedError: 6,
+	AppleAuthError: 4,
+	InteractiveProhibitedError: 4
+};
+const normalizeRole = (raw) => {
+	if (raw === void 0) return Effect.succeed("ADMIN");
+	const upper = raw.trim().toUpperCase();
+	if (upper === "ADMIN" || upper === "APP_MANAGER") return Effect.succeed(upper);
+	return Effect.fail(new CredentialValidationError({ message: `Unknown ASC API key role "${raw}". Use ADMIN or APP_MANAGER.` }));
+};
+const ascKeyCommand = defineCommand({
+	meta: {
+		name: "asc-key",
+		description: "Create an App Store Connect API key (.p8) directly from your Apple ID login — no manual download. Stored encrypted in your vault, it can issue certificates, sync devices, and upload builds. Requires the Account Holder to have agreed to the API Terms once under Users and Access → Integrations."
+	},
+	args: {
+		role: {
+			type: "string",
+			description: "ADMIN (default) or APP_MANAGER (least privilege)"
+		},
+		name: {
+			type: "string",
+			description: "Display name for the stored key (defaults to the key ID)"
+		},
+		nickname: {
+			type: "string",
+			description: "Nickname shown in App Store Connect (defaults to a timestamped name)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const role = yield* normalizeRole(args.role);
+		const api = yield* apiClient;
+		const auth = yield* AppleAuth;
+		const session = yield* auth.ensureLoggedIn();
+		yield* printHuman("Creating an App Store Connect API key via your Apple ID...");
+		const created = yield* generateAndUploadAscApiKeyViaAppleId(api, {
+			context: auth.buildRequestContext(session),
+			appleTeamIdentifier: session.teamId,
+			nickname: args.nickname ?? defaultAscApiKeyNickname(),
+			role,
+			...compact({ name: args.name })
+		});
+		yield* printHuman("App Store Connect API key created and stored.");
+		yield* printHumanKeyValue([
+			["ID", created.id],
+			["Key ID", created.keyId],
+			["Issuer ID", created.issuerId],
+			["Role", created.role]
+		]);
+		return created;
+	}), {
+		exits: ASC_KEY_EXIT_EXTRAS,
+		json: "value"
+	})
+});
 //#endregion
 //#region src/lib/credentials-generator-merchant.ts
 /**
@@ -30856,6 +31043,7 @@ const generateCommand$1 = defineCommand({
 		"provisioning-profile": provisioningProfileCommand,
 		"push-key": pushKeyCommand$1,
 		"merchant-id": merchantIdCommand,
+		"asc-key": ascKeyCommand,
 		"gsa-key": gsaKeyCommand
 	}
 });